Cisco ASA VPN XML Parser Denial of Service Vulnerability
The AEC team of ethical hackers discovered and reported a serious vulnerability in Cisco products.
Abuse Difficulty: Low
The identified vulnerability is caused by an error in the XML (Extensible Markup Language) parser, a software component of WebVPN in Cisco ASA products. It can be abused with a specially crafted set of XML entities sent remotely by an unauthenticated attacker. Successful abuse of the vulnerability causes all established SSL VPN connections to be dropped, system instability, and a device restart. There is a real risk of a long-lasting effect of the attack, and thus of prolonged unavailability of the affected company's VPN (Virtual Private Network).
Affected configurations: Cisco ASA devices configured for Clientless SSL VPN, AnyConnect SSL VPN, or AnyConnect IKEv2 VPN.
The following Cisco ASA Software versions are vulnerable:
- Cisco ASA Software 8.4 prior to 8.4(7.28)
- Cisco ASA Software 8.6 prior to 8.6(1.17)
- Cisco ASA Software 9.0 prior to 9.0(4.32)
- Cisco ASA Software 9.1 prior to 9.1(6)
- Cisco ASA Software 9.2 prior to 9.2(3.4)
- Cisco ASA Software 9.3 prior to 9.3(3)
The vulnerability was reported to Cisco Systems. Out of consideration for our customers, we decided to publish the full details only after a period long enough to ensure that the companies we protect had taken the appropriate remedial action.
Recommendation by AEC
Mitigation measures at the network perimeter or in systems placed in front of the device are not effective. If you run a version older than those stated above, contact your system supplier and ask for a patch.
More details are available at the official Cisco Systems links below:
Proof of Concept
Below we show an example of a request leading to successful abuse of the vulnerability, causing the service to become unavailable. The request was modified to preserve anonymity.
POST / HTTP/1.1
<?xml version="1.0" encoding="utf-8"?>
<config-auth client="vpn" type="auth-reply" aggregate-auth-version="2">
After the above request is sent to a vulnerable service, the VPN service becomes unavailable and the current SSL VPN connections are disconnected.
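The defect described above is a parser that accepts DTD and entity declarations in an unauthenticated request body. As an added illustration (not AEC's or Cisco's code), the following parser for a config-auth document refuses any DOCTYPE or entity declaration and any oversized body before expansion can happen; the document shape, the size limit, and the sample bodies are assumptions constructed for the example.

```python
import xml.parsers.expat

MAX_BODY_BYTES = 64 * 1024  # assumed upper bound for a config-auth body


class UnsafeXMLError(ValueError):
    """Raised when the body carries a DTD/entity declaration or is malformed."""


def parse_config_auth(body: bytes) -> dict:
    """Parse a config-auth document, refusing DOCTYPE and entity declarations
    before expat ever expands anything. Returns the root element and its attrs."""
    if len(body) > MAX_BODY_BYTES:
        raise UnsafeXMLError("body too large")
    result = {"root": None, "attrs": {}}
    parser = xml.parsers.expat.ParserCreate()

    def on_start(name, attrs):
        # Keep only the first (root) element; that is all this demo needs.
        if result["root"] is None:
            result["root"] = name
            result["attrs"] = dict(attrs)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError("DOCTYPE declaration rejected")

    def on_entity_decl(*_):
        raise UnsafeXMLError("entity declaration rejected")

    parser.StartElementHandler = on_start
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(body, True)  # exceptions raised in handlers propagate here
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXMLError(f"malformed XML: {exc}") from exc
    if result["root"] != "config-auth":
        raise UnsafeXMLError("unexpected root element")
    return result


def is_acceptable(body: bytes) -> bool:
    """True when the body parses under the strict rules above."""
    try:
        parse_config_auth(body)
        return True
    except UnsafeXMLError:
        return False


# Constructed sample bodies (not captured traffic): a normal auth-reply and one
# that carries an internal DTD with a single entity declaration.
BENIGN = (b'<?xml version="1.0" encoding="utf-8"?>'
          b'<config-auth client="vpn" type="auth-reply" aggregate-auth-version="2">'
          b'</config-auth>')
WITH_DTD = (b'<?xml version="1.0"?><!DOCTYPE config-auth [<!ENTITY e "x">]>'
            b'<config-auth client="vpn" type="auth-reply">&e;</config-auth>')
```

The same checks belong in whichever component first touches the body; a body rejected by is_acceptable should be logged and dropped rather than passed on to a fuller parser.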